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Title: UNIMODULAR MATRIX-BASED MESSAGE AUTHENTICATION 
CODES (MAC) 

TECHNICAL FIELD 

The present invention relates generally to data protection, and more particularly to 
systems and methods for providing a message authentication code based on unimodular 
matrices. 

BACKGROUND OF THE INVENTION 

Since the beginning of the digital revolution, there has always been a concern that 
not all of the digital bits sent from point A to point B will arrive intact. This is because, 
whether malicious or non-malicious attacks, the digital information sometimes arrived in 
an altered state at its destination. Depending on the criticality of the transmitted data, the 
altered information could be inconsequential or might be of significant importance such 
as transferring one million dollars to a bank account instead of one hundred dollars to a 
bank account. Therefore, a means to verify and check data is required to ensure that what 
information was sent actually arrived in the same form. Additionally, especially in the 
banking example just mentioned, it is also highly desirable to ensure that the data came 
from a particular source. Thus, it is necessary to also have a means to verify and/or 
identify the sender of the information. Otherwise an individual could just send the 
information to the bank and transfer money into their account at will. Likewise, it is also 
desirable to hide, or encrypt, the information being sent so that other parties cannot view 
the data. All of these desirable characteristics for transmitted data tend to have equal 
importance for secure data transmissions in today's digital environment. 

One way to ensure that data arrives exactly as it was sent is to provide 
information along with the transmitted data that provides a method to double check that 
all of the data bits have been received and, sometimes, even that they are in a particular 
order. This is often accomplished with a "checksum" value that is sent or appended to 
the transmitted data. This checksum can be as simple as the value of adding up all the 
bits or as complicated as a value that can indicate, to a high degree of probability, the 
order and value of all the digital bits. Thus, checksum methods can be quite complex, 
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depending on the depth of checking required in a given circumstance. Critical data, for 
example, such as airplane flight control information, can require extremely thorough 
checksum values. Other means of ensuring data integrity can include sending redundant 
copies of the data and doing a data comparison at the receiving end. This is valid as long 
5 as the attacks to the data tend to be non-malicious and random. A malicious attack or a 
reoccurring error can affect all redundant copies of the data, yielding no means to 
adequately decide which data set is correct. 

It is also desirable to be able to authenticate that data was sent by a particular 
party. Thus, when an email is received, for example, one assumes that it was sent from 

10 the party in the "from-line" of the email. However, as is common with email viruses, the 
virus sends emails to users in an address book of an infected computer and alters the 
from-line so that the emails appear to be from someone other than the virus program. 
Therefore, if the received communication is of a highly critical nature, the receiving party 
would like to be ensured that the email originated from the sender and not from anyone 

15 else. This is especially important in a business environment where the digital information 

is utilized to make business decisions and to conduct business transactions. It is also 
critical in medical settings such as transmitting drug prescriptions and medical 
information and the like. 

As the digital age has progressed, it has become very easy to send, receive, and 

20 manipulate digital data. Although this digitally-provided power is typically utilized to 

enhance and enrich society, it can also be utilized to maliciously alter and/or intercept 
data. People, along with businesses, often tend to send information that is of a sensitive 
nature, and they do not want it to be disseminated to parties other than those to which the 
data was sent. Therefore, if the data is intercepted by a third party, they would like the 

25 data to be meaningless to that third party. This is typically done by encrypting data 
utilizing a "key." The data can then only be unlocked by possessing and utilizing the 
digital unlock key. Generally, to gain more security, the encryption key is lengthened to 
contain more digital bits. The encrypting method can also become extremely complex in 
order to provide even more security for the transmitted data. 

30 As technology has progressed in the aforementioned data protection areas, it has 

tended to somewhat merge into overlapping methods that provide data protection in 
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multiple facets. Thus, an authentication method that verifies who the data was sent from 
is often also combined with an encryption scheme to hide the data from third parties. 
Likewise, an encryption scheme might also provide a data integrity scheme, and a data 
integrity scheme might also be utilized to verify who sent the digital data. Some current 

5 authentication schemes utilize "public keys" and "secret" or private keys to facilitate 

authentication. These methods often incorporate a "message authentication code" or MAC 
that is a hash value (a fixed length digital code) that is representative of the actual input 
data. The MAC is typically encrypted along with the data itself and sent to a party. The 
party then decrypts the data and generates a new MAC on the data. The received MAC and 

0 the new generated MAC are then compared to verify that the data is intact and can 
sometimes also be utilized to authenticate the sender of the information. 

As society creates more and more digital information, the sizes of transmitted data 
also increase dramatically. Thus, despite advances in technology with regard to faster 
processors and better data management, the amount of digital information being sent can 

5 be immense. This creates a workload for digital protection schemes that can become 

overwhelming for a particular process. Typically, users will not tolerate lengthy delays 
after they command data to be transmitted. This additional time for providing data 
protection is seen as an encumbrance to this method of data transmission. Although a 
user deems the protection necessary, time constraints may cause a user to by-pass data 

0 protection in order to timely send out large amounts of data, exposing the data to 

interception/disclosure, spoofing, and alterations. Efficient, secure, and adjustable data 
protection schemes can provide businesses and individual users alike with the capability 
to expand beyond their current data size limitations without limiting their data protection 
due to intolerance of data protection overhead costs. 



SUMMARY OF THE INVENTION 

The following presents a simplified summary of the invention in order to provide 
a basic understanding of some aspects of the invention. This summary is not an extensive 
overview of the invention. It is not intended to identify key/critical elements of the 
invention or to delineate the scope of the invention. Its sole purpose is to present some 
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concepts of the invention in a simplified form as a prelude to the more detailed 
description that is presented later. 

The present invention relates generally to data protection, and more particularly to 
systems and methods for providing a message authentication code based on unimodular 

5 matrices. The invertibility of determinants of these types of matrices is leveraged to 

provide a universal hash function means with reversible properties and high speed 
performance. This provides, in one instance of the present invention, length controllable 
hash values comprised of vector pairs that can be processed as one instruction in a SIMD 
(single instruction, multiple data) equipped computational processor, where the vector 

10 pair is treated as a double word. By providing single instruction processible hash values, 
one instance of the present invention can compute the hash values at a 500 megabyte per 
second input data rate on a 1 .06 gigahertz processor. The characteristics of the present 
invention permit its utilization in streaming cipher applications, and it can be utilized to 
provide key data to seed the ciphering process. Additionally, the present invention can 

1 5 utilize smaller key lengths than comparable mechanisms via inter-block chaining, can be 

utilized to double hash values via performing independent hash processes in parallel, and 
can be employed in applications that require its unique processing characteristics. Thus, 
the present invention provides a high performance hash value generation means that can 
also be utilized to facilitate cipher key seeding and utilized to facilitate other data 

20 protection schemes, such as, for example, checksumming and the like. 

To the accomplishment of the foregoing and related ends, certain illustrative 
aspects of the invention are described herein in connection with the following description 
and the annexed drawings. These aspects are indicative, however, of but a few of the 
various ways in which the principles of the invention may be employed and the present 

25 invention is intended to include all such aspects and their equivalents. Other advantages 

and novel features of the invention may become apparent from the following detailed 
description of the invention when considered in conjunction with the drawings. 
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BRIEF DESCRIPTION OF THE DRAWINGS 

FIG. 1 is a block diagram of a data transformation system in accordance with an 
aspect of the present invention. 
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FIG. 2 is another block diagram of a data transformation system in accordance 
with an aspect of the present invention. 

FIG. 3 is a block diagram of a data encryption system in accordance with an 
aspect of the present invention. 
5 FIG. 4 is a block diagram of a reversible data transformation system in 

accordance with an aspect of the present invention. 

FIG. 5 is a graph illustrating the k -invertibility of in accordance with an 
aspect of the present invention. 

FIG. 6 is a graph illustrating the k -invertibility of B t versus the log, 5 / in 
1 0 accordance with an aspect of the present invention. 

FIG. 7 is a flow diagram of a method of facilitating data transformation in 
accordance with an aspect of the present invention. 

FIG. 8 is another flow diagram of a method of facilitating data transformation in 
accordance with an aspect of the present invention. 
1 5 FIG. 9 is yet another flow diagram of a method of facilitating data transformation 

in accordance with an aspect of the present invention. 

FIG. 10 is a flow diagram of a method of facilitating a data transformation value 
length in accordance with an aspect of the present invention. 

FIG. 1 1 is a flow diagram of a method of facilitating inter-block chaining for a 
20 data transformation in accordance with an aspect of the present invention. 

FIG. 12 is a flow diagram of a method of facilitating data encryption in 
accordance with an aspect of the present invention. 

FIG. 13 illustrates an example operating environment in which the present 
invention can function. 

25 FIG. 14 illustrates another example operating environment in which the present 

invention can function. 

DETAILED DESCRIPTION OF THE INVENTION 

The present invention is now described with reference to the drawings, wherein 
30 like reference numerals are used to refer to like elements throughout. In the following 

description, for purposes of explanation, numerous specific details are set forth in order 
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to provide a thorough understanding of the present invention. It may be evident, 
however, that the present invention may be practiced without these specific details. In 
other instances, well-known structures and devices are shown in block diagram form in 
order to facilitate describing the present invention. 

As used in this application, the term "component" is intended to refer to a 
computer-related entity, either hardware, a combination of hardware and software, 
software, or software in execution. For example, a component may be, but is not limited 
to being, a process running on a processor, a processor, an object, an executable, a thread 
of execution, a program, and/or a computer. By way of illustration, both an application 
running on a server and the server can be a computer component. One or more 
components may reside within a process and/or thread of execution and a component 
may be localized on one computer and/or distributed between two or more computers. A 
"thread" is the entity within a process that the operating system kernel schedules for 
execution. As is well known in the art, each thread has an associated "context" which is 
the volatile data associated with the execution of the thread. A thread's context includes 
the contents of system registers and the virtual address belonging to the thread's process. 
Thus, the actual data comprising a thread's context varies as it executes. 

The present invention provides a MAC construction based on modular groups. 
Each input is embedded into a sequence of matrices with determinant ±1 , the product of 
which yields a desired MAC. The invertibility and the arithmetic properties of the 
determinants of certain types of matrices are utilized for analysis and can be of interest in 
other applications. Algorithms to compute message authentication codes (macs) are 
important in security applications, and the task of constructing them rigorously and 
efficiently is well-studied. Recent algorithms have utilized a secret key to map an input 
into a short binary string, and then secure the result with a block cipher or traditional 
secure hash. The present invention provides a method for the first step, the so-called 
universal hash function. It provides a construction based on modular groups that is 
competitive or better than other methods. The present invention can also be utilized with 
document indexing and retrieval, document integrity checking for databases and secure 
networks, and web search and server applications and the like. 
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In FIG. 1, a block diagram of a data transformation system 100 in accordance 
with an aspect of the present invention is shown. The data transformation system 100 is 
comprised of a unimodular matrix-based data transformation component 1 02 that 
transforms input data X 104 and outputs data for applications such as authentication 
5 applications 106, integrity applications 108, and other applications 1 10. The other 
applications 1 10 can be comprised of, but are not limited to, applications such as 
encryption, web search, and server applications and the like. In another instance of the 
present invention, the unimodular matrix-based data transformation component 102 can 
output data in the form of a message authentication code (mac) for utilization with 

10 authentication applications 106 and/or integrity applications 108 and the like. Thus, the 
MAC not only provides an indication of who sent the data, but can also be utilized to 
determine if the input data X 104 has been altered. The unimodular matrix-based data 
transformation component 102 receives the input data X 104 and transforms it into a 
transformation value utilizing at least one secret key 1 12 and at least one public key 114. 

15 The public key 1 14 can be comprised of public matrices with determinants of +/- 1 . 

Generally, in one instance of the present invention, the unimodular matrix-based data 
transformation component 102 generates the transformation value in the format of a 
vector pair from a unimodular group employing the public matrices. Details of the 
processing of the input data X 104 are discussed infra. 

20 Referring to FIG. 2, another block diagram of a data transformation system 200 in 

accordance with an aspect of the present invention is illustrated. The data transformation 
system 200 is comprised of a unimodular matrix-based data transformation component 
202 that receives input data X 204 and outputs MAC data 206. The unimodular matrix- 
based data transformation component 202 is comprised of a hash mapping component 

25 208 and an optional encryption component 210. The hash mapping component 208 

receives the input data X 204 and transforms the input data X 204 into a hash value 
utilizing keys 212 and a universal hash function with reversible properties. The resulting 
hash value can then be output as the MAC data 206 and/or it can be encrypted via the 
optional encryption component 210 and then output as an encrypted form of the mac data 

30 206. The hash mapping component 208 maps the input data X 204 by processing it with 
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keys 212 that provide authentication and/or data integrity characteristics and the like to 
the calculated hash value. 

Looking at FIG. 3, a block diagram of a data encryption system 300 in accordance 
with an aspect of the present invention is depicted. The data encryption system 300 is 
5 comprised of a MAC generation component 302, a MAC encryption component 304, and a 
cipher component 306 utilizing at least one key 308. The data encryption system 300 
receives input data X 310, transforms and encrypts the input data X 310, and then 
outputs encrypted data 312. The encrypted data 3 12 is comprised of an encrypted form 
of the input data X 3 10 and an encrypted form of a MAC relating to the input data X 

10 3 1 0. In other instances of the present invention, the MAC can be appended to the 

encrypted form of the input data X 310 without being encrypted and/or the MAC 
generation component 302 can solely be utilized to seed the cipher component 306. In 
the present instance of the present invention, the input data X 3 10 is received by both 
the MAC generation component 302 and the cipher component 306. The MAC generation 

1 5 component 302 transforms the input data X 3 10 into a hash value utilizing unimodular 

matrices and outputs the hash value to the MAC encryption component 304. Since the 
present invention's operations are invertible, they can be combined with authentication 
and encryption via employment of stream ciphers that utilize a final hash value to define 
a key for generation of a one-time pad. Thus, the MAC generation component 302 also 

20 produces seed data for the key 308 of the cipher component 306. In this instance of the 
present invention, the cipher component 306 utilizes a function to encrypt the received 
input data X 3 10 in the form of y i = a i x i , where a. and b i are random key words 

and a i x i is generated by the MAC generation component 302. The cipher component 306 

then outputs the encrypted form of the input data X 310 as a portion of the encrypted 
25 data 312. 

Turning to FIG. 4, a block diagram of a reversible data transformation system 400 
in accordance with an aspect of the present invention is shown. The reversible data 
transformation system 400 is comprised of a data converter component 402 and a data 
inverter component 404. In other instances of the present invention, the reversible data 
30 transformation system 400 can be comprised solely of the data converter component 402 
or solely of the data inverter component 404. In this example of the present invention, 
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the reversible data transformation system 400 receives input data X 406 and employs the 
data converter component 402 to transform it via a unimodular matrix-based 
transformation process into transformed data 408. The transformed data is then received 
by the data inverter component 404, and the transformation process is reversed, 

5 producing output data X 410. The data converter component 402 is typically comprised 

of a unimodular matrix-based data transformation component. Thus, the transformed 
data can be a hash of the input data X 406. Generally, a hash is defined as a one-way 
transformation of data into a fixed-length representation. However, the present invention 
provides a means to reverse the hash and derive relevant information as to the content of 

10 input data X 406 and/or characteristics related to authentication of the input data X 

406. This is a characteristic only provided by the present invention. 

The unique qualities of the present invention are better perceived by 
understanding the context of the present invention. Algorithms to compute message 
authentication codes (MAC) are important in security applications, and the task of 

1 5 constructing them rigorously and efficiently has been a subject of many technological 

endeavors. An introduction can be found in Alfred J. Menezes, Paul C. van Oorschot, 
and Scott A. Vanstone; Handbook of Applied Cryptography; CRC Press, 1997. 

Recent MAC algorithms utilize a secret key K to map an input X into a short 
binary string h = H K (X) of some fixed length [see, (J. Black, S. Halevi, H. Krawczyk, 

20 T. Krovetz, and P. Rogaway; UMAC: Fast and Secure Message Authentication; Lecture 

Notes in Computer Science, 1666:216-233, 1999), (S. Halevi and H. Krawczyk; MMH: 
Software Message Authentication in the Gbit/Second Rates; In Fast Software Encryption, 
pages 172-189, 1997), (Phillip Rogaway; Bucket Hashing and Its Application to Fast 
Message Authentication; Journal of Cryptology: the Journal of the International 

25 Association for Cryptologic Research, 12(2):91-1 1 5, 1999), (M. Bellare, R. Canetti, and 
H. Krawczyk; Keying Hash Functions for Message Authentication; Lecture Notes in 
Computer Science, 1 109, 1996), (V. Shoup; On Fast v and Provably Secure Message 
Authentication Based on Universal Hashing; Lecture Notes in Computer Science, 1 109, 
1996), and (M. H. Jakubowski and R. Venkatesan; The Chain and Sum Primitive and Its 

30 Applications to MACs and Stream Ciphers; In Advances in Cryptology — EUROCRYPT 
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'98, volume 1403 of Lecture Notes in Computer Science, pages 281-293 ; Springer- 
Verlag, 1998)]. 

After the mapping is completed, h is encrypted utilizing a block cipher. If the 
cipher acts as a random permutation, the encryptions of the hash values of q 

5 distinct inputs X v ...,X q can not be distinguished from truly random outputs of the 
corresponding length, if the hash values h, = H K {X,) are distinct. Thus, if a secure 
cipher is utilized, the collision properties of the hash function determine the security of 
the MAC. The main parameter of interest for a MAC algorithm is the collision probability 
?r K [H K (X) = H K (X')], where X and X' are arbitrary and distinct inputs. If the 

1 0 collision probability is the inverse of the size of the range of the hash, regardless of the 
choice of inputs, the hash function is called a universal hash function (see, Carter and 
Wegman; New Hash Functions and Their Use in Authentication and Set Equality; 
Journal of Computer and System Sciences, 22(3):265-279, 1981). This approach has 
enabled construction families of hash functions with quantifiable collision probabilities 

15 that are remarkably fast in practice. The initial mapping X h» h and its collision 

probability is a focal point, and it is assumed for simplicity that all inputs have the same 
length and can be subdivided into blocks evenly. 

To better understand the present invention's construction, it is helpful to review 
some earlier construction techniques. In one such technique, an evaluation MAC 

20 identifies an input message X = x x , . . . x m • with a polynomial of degree m over a suitable 
field and computes the map a i-> x,a' for a random a . Bernstein's hashl27 
(D. Bernstein; Floating-point Arithmetic and Message Authentication; Draft available at 
http : //cr . yp . to/papers /hashi27 . dvi) implements a polynomial evaluation hash 
utilizing floating-point operations in an efficient and platform independent manner. 

25 Many MAC constructions utilize a standard iterative rule y, = f (x, + y,_, ) , where 

v, are the intermediate values and various methods utilize different f 's. In the 
evaluation MAC, fix) = f(x) = ax , the iteration is Horner's rule and y m is the final 
value. If one takes f = f(x) = E K (x) to be a block cipher, one gets the CBC mac [see, 
The Security of the Cipher Block Chaining Message Authentication Code (M. Bellare, J. 
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Kilian, and P. Rogaway; Journal of Computer and System Sciences, 61(3):362-399, 
2000) for an analysis and On Fast andProvably Secure Message Authentication Based 
on Universal Hashing (Shoup, 1996) for an efficient implementation]. 

The chain and sum method (Jakubowski and Venkatesan, 1998) doubles the 

5 length of the hash in a one-pass computation by outputting the pair (y t , X y f ) • It is 

similar to the evaluation MAC, except it alternates two random affine transformations / 
and g of the form x M> ax + b . That is, f f = / for odd i , and f.=g for even / . To 
improve the present invention's collision probabilities, the summing method is utilized, 
which was employed in The Chain and Sum Primitive and Its Applications to MACs and 
10 Stream Ciphers (Jakubowski and Venkatesan, 1998) to obtain a pseudo-random 

permutation on X by further encrypting y l9 ...y tm . 2 with a one-time pad derived from (y n 

Xx-) utilizing a stream cipher and encrypting (>>,, with a block cipher. 

These methods work over a field, where operations are typically expensive on 
standard processors. Working instead with modulo 2* is advantageous and the fastest 

15 MACs utilize this method. However, the ring of integers modulo 2 l does not have the 

invertibility which is crucial for analysis. For example, for x*x , the function 
/ (x) = ax +6 over a field has an invertible output differential f(x) - f(x f ) = a(x - x ( ) 
in the sense that it is uniformly distributed if a is randomly chosen. However, for 
modulo 2 f , this changes sharply. If 2* | (x - x')m , then 2 k \ (y - y') , and if k = £ - 1 the 

20 output is distributed as a set of size 2 for a random odd a . The present invention 

constructs reversible transformations that are suitable for MAC and other applications. 
Proof for the present invention mimics the proof in the finite field case, except the present 
invention's equations involve coefficients from matrix groups. 

UMAC (see, Black, Halevi, Krawczyk, Krovetz, and Rogaway, 1999) is an 

25 efficient MAC algorithm that achieves high speeds by utilizing SIMD instructions 
available on many CPUs for media processing. UMAC utilizes the iteration 
X=/fe^2/ + i) + ^-, 5 where /(Vi) = (*o+*oM*,+*i)- Here the *, are secret 
random words, and the multiplication is reduced at twice the word size of the x i . For 
example, the x i are 32 bits, and the y. 64 bits. In UMAC: Fast and Secure Message 
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Authentication (see, id), it is shown that the reduction modulo powers of two, while not 
totally universal, is nearly so. Leveraging the media processing instruction set allows 
UMAC to achieve a rate faster than a byte per cycle, meaning gigabyte per second rates on 
today's processors. 

5 Klimov and Shamir (see, A. Klimov and A. Shamir; A New Class of Invertible 

Mappings; Crypto 2001 Rump Session) constructed an elegant family of invertible 
mappings (modulo 2*) that combine arithmetic and boolean operations to get non-linear 
maps for utilization in cryptographic primitives. The present invention can incorporate 
these functions after they have been randomized and modified per the present invention 
1 0 to have suitable differential properties. 

The present invention's inputs are broken into blocks of length t words, each of 
size I -bits. A given t -bit input jc. is embedded into a 3 x 3 matrix B i over the ring of 



integers modulo 2 e by x i h-> 



00 1 



=: B i , where v. = /(*,.) is a vector with two 



elements, and A } is a 2 x 2 matrix with det(4) = ±1 ; here the sequence of A i 's is fixed 
15 independent of the input x i . The A. sequence utilized by the present invention is 

periodic, so that the implementation can be unrolled and have a small code footprint. The 
function, f^x) , is defined by multiplication with random odd a i , where a f and x are £ 

bits, and the 21 bit result is viewed as a vector of two t -bit numbers. Thus /(x) is 

invertible modulo 2 2i and can be implemented in one instruction utilizing the usual 2t - 
20 bit result of multiplication of two t -bit quantities. 

'A z 
00 1 

computed. The output of the present invention's hash value is the pair (z 9 ^ M v, ) . The 

collision probability is substantially near 2~ 2£ by utilizing the invertibility of A and the 

arithmetic properties of the determinants of the matrices of the form [[._. A l -I over Z 

25 (and not modulo 2 e ) . The present invention offers simplicity and can also facilitate 

applications other than macs as well. 



For each block of input, the product B = 



of these matrices 5, is 
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The present invention's construction can be viewed in a more general manner. 
Let G = SLiC^) and H = Z*, , so that G is the group of unimodular matrices over 

multiplication, and H is the group of 2-dimensional vectors modulo 2* over addition. 
The natural homomorphism taking elements of G to automorphisms of H via the 
5 matrix-vector product defines a semidirect product G * H . The present invention's 

block hash is then an embedding of the input into G * H by mapping x i to (4, /(*.)) . 
The product of these elements is that over G «x H . Given appropriate , the present 

invention's construction can be generalized to larger matrices. 

Many efficient mac algorithms are available [see, (Shoup, 1996), (Halevi and 
10 Krawczyk, 1997), (Black, Halevi, Krawczyk, Krovetz, and Rogaway, 1999), (Rogaway, 
1999), and (Bernstein). Several work by expanding a short key to a large key for an inner 
hash function utilizing a pseudo-random generator; the large key can amount to a fraction 
of the length to be hashed. However, the present invention's algorithm requires less key 
to be generated than algorithms such as UMAC. This is highly desirable in some 
15 applications. 

Even though the present invention is slower than the fastest algorithm, UMAC 
(Black, Halevi, Krawczyk, Krovetz, and Rogaway, 1999), it is still very competitive and 
is even better than other algorithms. Unlike UMAC, however, the present invention's 
construction is interesting in its own right and can lend itself to other applications besides 
20 MACS. Through optimization, the present invention can improve the speed of its 
algorithm and reduce the amount of key utilized. 

The present invention's methods also provide a model for checksumming. 
Detailed infra, it is shown that any two inputs that collide within a block must differ in at 
least two locations. The collision probability of the present invention's mac is much 
25 smaller if the input differs in at least three locations. While this is not substantially 
helpful in an adversarial context, when utilizing the present invention's MAC as a 
checksum, it can provide such a guarantee. Generalizing this notion, a d-semi-universal 
hash is defined to be one where the collision probability of two inputs that differ in d 
locations is nearly that of colliding with an independently chosen element of the range. 
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The present invention's algorithm is a 3 -semi-universal hash and more efficient variants 
can be ^-semi-universal for larger d . 

In order to fully appreciate the present invention, several conventions are utilized 
as follows. Fix a modulus m = 2 i , for example, t = 32 . A word refers to an element of 
5 Z = ZlmZ and a double word to an element of Z 2 . Hence, words can be thought of as 

£ bit integers and double words as 2£ bit integers. All operations take place over words, 
that is, over Z m , unless otherwise specified. The ability of modern processors to multiply 
two words to produce a double word in a single instruction is exploited; this operation is 
denoted as x, . For x,y eZ m , xx. y is in Z 2 m , that is, the result is viewed as a two word 
10 vector. If necessary, the input is padded to consist of an integral number of words. For 
simplicity, an input consists of b blocks, each of which has a fixed block length of t 
words. 

Typically data is processed by blocks. Thus, the present invention's construction 
is described for a map v that sends an input block X = x x into I -bit hash value 

15 v = v(X) . The block key consists of £ -bit words a i , for 1 < / < t ; the same key is reused 

with each block. f i :Z m -^Z 2 m is defined by f t (x) = a, x * x . The present invention's 
algorithm utilizes fixed public matrices A v ...,A t . These can contain very small entries so 
that matrix products can be implemented very efficiently by addition and subtraction of 
words. 

20 Let v. be the column vector of two words equal to Define matrices B n B 



and for i > 0 , 
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and B Q , which have the form 
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0 0 1 



A z 
0 0 1 



(Eq. 1) 
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\ 



It is clear that B can be written as above; z is the first two components of the third 
column of B and A has determinant ±1 . z 0 is an initial value for the block. Also 
computed is: 

t 



1=1 



where <r 0 is another initial value for the block. The hash value is v(X) = (z,cr) . 

Other instances of the present invention can be employed to provide inter-block 
chaining. For example, assume the A;* block is associated with two uniform hash 
functions F^ and F} k) mapping double words to double words (the superscript is 
1 0 dropped if the block number is clear from the context). If (z', cr') is the output of a 
hashed block, this is chained to the next block by setting cr 0 = F 2 (<j') and: 



1 0 w 

B 0 = 0 1 1 
0 0 1 

15 as the initial values for the next block. These inter-block functions can be repeated to 

save on key length, at some cost of security, which is detailed infra. The exact definition 
of these functions is not extremely important for these applications. 

In other instances of the present invention, a hash value length can be doubled by 
performing an independent hash in parallel. Key words b n \ <i<t are utilized, which 

20 are independent of the a, and set the functions g n i<t , to g(x) = b ( x„ x . w ; = g,(x,) is 

defined and, as above, gets a map X h-» u(X) with the hash value u utilizing: 



4 «, 
00 1 



,c 0 -= 



1 0 

0 1 0 
0 0 1 



,C:=C o nC,=: 
<=i 



A w 
00 1 



. (Eq.2) 



25 Also computed is v = v 0 + £' <=] w, . The overall hash is now: 
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(V(J0,U(J0) = (Z,<7,W,V). 

Thus, the present invention provides a lengthened transformation value or hash 
5 value with a collision probability that can be based on the following theorem. 

Theorem 1: For t < 50 , if H = (z,a,w,v) and H' = (z',ct»') are /ias/2 
values computed from two distinct inputs, then: 

10 ?r[H = H']<2- Ae+2 °, 

where the probability is taken over the choice of key. 

This theorem follows directly from Lemmas 3 and 4 infra. It is noted that the theorem is 
1 5 not optimal, in that the choice for the matrices of Lemma 4 could be improved. 

The analysis of the hash of a single block is focused upon first, and it is assumed 
that B 0 = I for a 3 x 3 identity matrix. By repeated utilization of the identity: 



20 



'A v" 




" B u 




' AB 


Au + v 


0 0 1 




00 1 




00 


1 



in Equation (1): 



(Eq. 3) 



25 For two (not necessarily distinct) input blocks X and X' , = x p ...,x, and X' = xj, 

is written and v ', = /Gt',) is defined, z' and cr' are defined analogously to z and o*. 

The following technical lemma relating the distributive law of over vector 
subtraction is needed. In general, it is not true that a x.x - a x, x = a x, (x - x') 9 and, 
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thus, the operation is not linear. However, assuming jc * jc' , ax.x-ax.x' is nearly as 
likely to collide with any fixed value as ax, (jc-jc') . 

Lemma 1. Given any fixed words x*x' and any fixed double word a = (a, , a 2 ) , 

5 

Pr[a x. x - a x. x' = a) < 2~ t+2 , 

a 

where the probability is taken over uniformly chosen odd words aeZ m . 

10 Proof: For this proof, let • denote the usual multiplication over double words. 

By abusing notation, a • x = y is written for a, jc e Z m and y e Z m2 ; it is noted also 

in this case that there is no overflow, so that y = ax as integers. The crux of this 
lemma is the difference between subtraction over double words as integers 
modulo m 2 and subtraction over two-dimensional vectors modulo m . To make 
1 5 this distinction explicit, for an element x e Z^ 2 , [x] is written as the vector 

corresponding x , so that [x] e l? m . Then for double words y and z , if 
[y] ~ [*] = (Wp w 2 ) , then [y-z] = (w } -c, w 2 ) , where c is either 0 and 1 
depending on whether there is a carry between the low and high words or not. 
Let A be the set of all odd a that cause a collision, that is, for the fixed 
20 a = (a x , a 2 ) , all a such that [a • x] - [a • x'] = a for x and x' as in the statement 

of the lemma. Then for any a e A , [a • jc - a • x'] = (a, -c a ,a 2 ) , for c a = 0 or 1 . 
Given a, a' e ^4 with c a = , a • (jc - jc') = a' • (jc - jc') exists over the integers, so 
that as jc * x' , a = a' . Thus, ^ contains at most two elements, possibly one with 
carry 0 and possibly one with carry 1. As there are 2 e ~ l choices for odd a , the 
25 chance of choosing one in A is at most 2 • 2~ fM = 2~ M , as required. 

The hash function proper is now analyzed. 
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Lemma 2: If (z,a) = (z',cr f ) for distinct inputs X and X 1 , then X and X 1 
differ in at least two locations. 

Proof: Suppose not, so that x, = x] for all / * j 9 and jc y * Jt y for some y . Then 
5 a -a = flr y x y - a x„ x y . As a } is odd and hence an invertible map from 

Z m -> Z 2 m , cr * cr' , contradicting (z, cr) = (z',cr') . 

It is now known that colliding inputs have at least two distinct words - however, 
which words these are, is not known. This is where computing the hash as a matrix 
10 product and sum helps. For example, if x and y are independently distributed over Z m , 
then 2x + y and 2y-x are independently distributed as well. Note, however, that x + y 
and x - y are not independently distributed; for example, they have the same parity. The 



difference between these two examples is that the former arises from the matrix 



2 1 
-1 2 



which is invertible over Z m , while the matrix of the latter is 



1 1 
1 -1 



has determinant -2, 



15 and so is not invertible over Z m . The relationship between the two components of the 

present invention's hash pair, z and cr , is similar, so that if the present invention's 
matrices are picked carefully, z and a are independent. 

Definition 1: A sequence of matrices ) is k -invertible if for any i< j , 

20 and A defined as: 

A=det(4...^ y _ 1 -7), 

then A is nonzero, and if 2 k \ A, then k' < k . 

25 For any interval 1= the matrix B = II 7 A^-l of k -invertible is nearly 

invertible in the following sense. Let det(£) = s2 k ' for odd, nonzero s and 
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k'<k. Then Bx = a can be solved modulo 2 l ' k uniquely and then there are 2* 
solutions modulo 2 e . Thus the value k should be as small as possible. 



Lemma 3: Assume that (A x ,..., A,) is k-invertible. Then for distinct inputs 
X*X', Pr {aj) [(z,c7) = (z>')] ^ 2- 2M+k , where f(x) = a, x. x . 

Proof : Let Sx, = x, - x\ and 5v t = f(x,) - f(x') = a, x. x, - a, x. x] . By the 
Lemma 2, it can be assumed that there exists i < j such that 5x i * 0 and SXj * 0 . 
The analysis is now in terms of matrix equations over Z m involving A t 's and Sv i ; 
the inputs x, and x\ are involved implicitly in a non-linear way which will by 
Lemma 1 will cost a factor of 2 . By fixing all a r for r * i,j : 



Pr[(z,<7) = (z>')] = 

Pr \A X ■ ■ ■ A i _ x 8v i + A i • • • Aj^Svj = a,Sv i + Svj = /?] , 

a i > a j 



for appropriate fixed a and B . Rearranging (Eq. 4) for some fixed a' , it is 
equivalent to: 

Pr UA l -A j _ x -I)8v J =a',5v l + 8v J =p\ 

Let B = (A r --A J ._ l -/),andlet A=det5. As (A n ...,Aj_ x ) are k -invertible, 
A=5-2* for some odd s and k'<k. As remarked above, BSvj =a' iff 
2 k '5Vj = a' in Z m , for some fixed a' depending on a and B . As from 
Lemma 1 Pr [Svj =y]< 2~ t+2 for any fixed y , 

Pr \2 k 'Sv = a*l < 2~ e+2 * k ' < 2~ M+k (recall all operations are performed over Z m ). 
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Finally, if the event 2* Svj = a* occurs, then Pr^ [Sv ( + Svj = ytf ] < 2~' +2 , as <5v, 
depends only on a i , independently from v, . Multiplying these probabilities gives 
the lemma. 

5 The operation of the hash over several blocks is now considered. Let (z ki cr k ) be 

the output of the A: th block, so that the initial values for the fc + 1 block are F^ k \z k ) and 

F i k) (Pk) • If the ke y s for the P air ( F \ k \ F 2 k) ) are new at each block, then the initial 
positions at each block are independent, utilizing the uniformity of the F i . Given two 
messages X v ... 9 X n and X[,... 9 X' n , let i be the largest index of different blocks, so that 

10 X t *X\ and JT y =jr; for j>i. Then//(X p ...,XJ = i/(X; 5 ...,X;) iff 

(z i9 <r t ) = {z' l9 ol) . If H(X ly ... y X i _ ] ) = H{X[^X-x) , then the probability that 
( z . )C r ) = (z;,o-;) is given in Lemma 3. Otherwise, by fixing all key bits but those for 
F r {i ' l) , r = 1, 2 , the probability that (z, , cr, ) = (zj, cr/) is equal to that of a collision in the 
F r °~ }) , which is smaller than that of Lemma 3. If it is desirable to save on key size, the 

15 F y (0 can be reused. A standard union-bound shows that the bit-security of the hash 

decreases linearly with the frequency of reuse. 

The choice of the sequence A X9 ... 9 A t can be tailored to implementation 
requirements. Obviously there is a trade-off between finding k -invertible matrices for 
minimum k while ensuring that the matrix- vector products of the hashing algorithm can 
20 be efficiently computed. The implementations described infra utilize the families below. 

It should be noted that if the order of the matrices is changed, the determinants of interest 
may be identically zero. 



25 



Lemma 4. Define the following integer matrices of determinant ±1 . 



-i i 



1 -2) 



A' - 



(2 n 



, and A' = 
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10 



15 



This is now extended periodically into a longer sequence: A, = (4,,..., 4) where 
4+3* = 4' • Then A 9 is 4-invertible, and is 6-inver title. 

Proof: This can be verified by direct computation. A graph 500 of the k - 
invertibility of A, 0 is shown in FIG. 5. The y -axis is the largest k > 0 such that 

2* |det((n/ ^)-/) 5 where the interval {f...y} is given by the sequence number. 

The determinant is nonzero in all cases. Further exploitation of the noticeable 
structure in the graph 500 is possible. 

Another family of matrices is now considered whose near-invertibility is not as 
good. However, these matrices have entries from {±1,0} , yielding more efficient 
implementations. Some implementations of instances of the present invention suggest a 
1 5% speed-up when utilizing these simpler matrices. It can also be shown that the 
determinants of interest are non-zero, if not nearly odd. 

Lemma 5. Define the following matrices. 



b: 



l 0) 



,B' = 



-1 -1 
10 -1 



(0 \ 
1 1 



, and B\ = 



-1 0 
-1 -1 



20 



Set B, =5' (inrod 4) + . and B l =(B { ,...,B,). Then for any \<i< j <t , if M ^ B s , 
det(M-/)*0. 



This is a necessary condition for k -invertibility, though clearly it is insufficient in 
general. Experimentally, B t is roughly log, 5 1 -invertible. For t ~ 50, they are not as 
25 invertible as ^ 0 , so some instances of the present invention have not utilized them. FIG. 
6 is a graph 600 illustrating the k -invertibility of B t versus the log, 5 1 as / is increased. 
The k -invertibility of B t (solid line 602) plotted against log, s t (dashed line 604). Here 
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10 



the y -axis is the largest k such that 2* | det (( Jl J B s ) - /) , for all 1 < / < j < t , for the 
specified / . 

Proof: For a matrix ^4 , ^4 > 0 if each entry of A is at least 0. A < 0 if -A > 0 
and ,4 > ,4' if A - A' > 0 . | A | denotes the matrix whose entries are the absolute 
value of those of A . 

In the notation of Lemma 5, note that: 



X ] — B[B' 2 = B' 2 B f 3 — 



and X 2 = B' 3 B' 4 = B\B[ = 



--I -n 

-2 -1 



By examination, for all 1 < s < 4 , det(5[ - /) e {-1, 4} and hence nonzero, and 
Tr(B' s ) e {1,-1} and is at least 1 in absolute value. For r = 1,2 , 
det(JT r -/) = 2 * 0 and Tr(X r ) = -2 . Finally, det(#X ~ J ) ^{-4,-3,6} . 
Hence, the analysis can proceed by induction and assume j-i>2. Set 
15 M' = JI^ 2 ^ and fix r so that M = M'X r , and, by induction, it can be assumed 

that |Tr(M')|>2. 

Since det(M) = ±1 , det(M - /) = det(M) + 1 - Tr(M) , and 
det(M) + 1 = 0 or 2 , it will be enough to show that | Tr(M) | > 2 . Note that 

M>0 or M<0,for B s =±1 • | B s \, so that M = ±l-]J J .\ B, |, and ]1|5J>0. 
20 As A/' > 0 or M' < 0 , utilizing the same argument as for M , by examining X r , 

it can be seen that | M \ > \ M' \ . 

One can label the off-diagonal elements of M' by x and y , so that 



Tr(M) = Tr(M'^ r ) = -(|Tr(M')| + 2|x| + |^|), 



25 



22 



MS306485.1 

if necessary by exchanging x and y . In a similar way as showing | M \ > \ M' 1 5 
one can show | M' \ > 0 , so thus | Tr (M) \ > | Tr(M') 1 4-1 > 3 , utilizing the 
inductive assumption on M' . Hence det(M - /) * 0 , as required. 



5 The present invention's hash methods can be adjusted to account for operating 

constraints of modern processors. In particular, instances of the present invention 
incorporate parallelization which is useful in processors that have SIMD operations. For 
example, the MMX™ brand type instruction set standard on Intel Pentium II™ brand 
and later processors can operate simultaneously on 32-bit words with a throughput of 2 

10 per cycle. For brevity, a hash or MAC has s bits of security if the collision probability 
(over the choice of keys) on two distinct fixed messages is < 2~ s . Utilizing , by 
Lemma 3 each hash gives 2 • 32 - 4 - 6 = 54 bits of security, utilizing 30 32-bit words of 
key per MAC per stream, plus the key for the inter-block chaining. As two macs are 
computed, the total security is 108 bits. Utilizing MMX™ brand type instructions on a 

15 1 .06 GHz Celeron ™ brand type processor, this MAC was computed at a peak rate of 3.7 

cycles per byte. An instance of the present invention can be implemented utilizing an 
optimized SSE2™ brand type algorithm. Performance of this instance of the present 
invention depends on the context of its utilization. Other instances of the present 
invention have implemented a hash utilizing a single stream, which gives 54 bits of 

20 security. This achieved a peak rate of 2.0 cycles per byte. 

The present invention's methods are also competitive with UMAC on the length of 
a generated key. To maintain the security bounds of Lemma 3, each inter-block hash 
needs four 32-bit words of key per hash stream. Each of the present invention's blocks 
then requires 50 -2 32-bit words of key. Thus, for an 8 Kbyte message, 42 inter-block 

25 hashes are required, for 5376 bits of key per hash stream. The total for an 8 Kbyte 

message and two hash streams is 13.6 Kbits of key. This compares with the UMAC 
implementation {see, J. Black, S. Halevi, H. Krawczyk, T. Krovetz, and P. Rogaway; 
UMAC home page, 2000; URL: http: / /www. cs . ucdavis . edu/~rogaway/umac) which 
requires 8 Kbits of generated key to hash a message of any length to 60 bits of security. 
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This information is summarized with context from other algorithms in Table 1 5 
where "P.I." denotes an instance of the present invention. Data for other algorithms was 
taken from (Black, Halevi, Krawczyk, Krovetz, and Rogaway, 1999) and (Black, Halevi, 
Krawczyk, Krovetz, and Rogaway, 2000). 



TABLE 1: MAC COMPARISONS 



Algorithm 


Security 
(Bits) 


Peak Rate 
(cycles/byte) 


Key Size 
(8 Kbyte Message) 


P.I. (two streams) 


108 


3.7 


13.6 Kbits 


P.I. (one stream) 


54 


2.0 


6.8 Kbits 


UMAC 


60 


0.98 


8 Kbits 


SHA-1 


80 


12.6 


512 bits 



The proof k -invertibility of the present invention's matrix sequences is 
computational. However, it is not necessary for such sequences to be periodic. More 
complex families can improve the speed and the security of the present invention's hash. 
For example, a periodic sequence of 4x4 matrices of length 80 which is 4-invertible 
exists. The larger matrices can be utilized to consume twice as much input per iteration, 
and the longer sequence length means the inter-block chaining is less frequent, improving 
efficiency. Instances of the present invention with these implementations show this is 
17% faster than the matrices of Lemma 4, and 2% faster than the matrices of Lemma 5, 
while providing more security than the other sequences. 

Both the present invention's construction and UMAC benefit from the media 
processing instructions found on Pentium™ brand CPUs. Other platforms, such as those 
of AMD brand, or Intel's Itanium™ brand CPUs, have different advantages, including 
larger register files. These details can be exploited by the present invention to increase 
the relative performance between the present invention's MAC and UMAC. 

Since the present invention's operations are invertible, they can be combined with 
authentication and encryption with stream ciphers. The idea is rather simple: utilize the 
final hash value to define a key for a stream cipher to generate a one-time pad. Instead of 
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encrypting the input sequence x i , one encrypts y i = a i x i + 6,. , where a i and b i are random 
key words (the first quantity is the lower half of a v. in a step of the present invention's 
mac). As before, the hash value needs to be further encrypted. One needs to exercise 
caution here: if addition to 6, were omitted, one can still observe correlations. This 
5 would be the case if the inputs x i end in many zeroes and RC4 is utilized {see, J. Golic; 
Linear Statistical Weaknesses in Alleged RC4 Keystream Generator; In Advances in 
Cryptology — EUROCRYPT '97, volume 1233 of Lecture Notes in Computer Science, 
pages 226-238; Springer-Verlag, 1997 and Ilya Mironov; Not So Random Shuffles of 
RC4; In Advances in Cryptology — CRYPTO 2002, Lecture Notes in Computer Science. 
10 Springer-Verlag, 2002). Masking of correlations in RC4 could yield improvements in the 
present invention. 

The inter-block chaining can be further optimized by exploiting existing slack in 
the utilization of key. Almost twice as much key is utilized in inter-block hashing as is 
utilized for the blocks. Key reuse techniques such as a Toplitz shift (see, Black, Halevi, 

15 Krawczyk, Krovetz, and Rogaway, 1999) could address this problem. The utilization of 
a single pairwise independent hash could be sufficient. 

In view of the exemplary systems shown and described above, methodologies that 
may be implemented in accordance with the present invention will be better appreciated 
with reference to the flow charts of FIGs. 7-12. While, for purposes of simplicity of 

20 explanation, the methodologies are shown and described as a series of blocks, it is to be 
understood and appreciated that the present invention is not limited by the order of the 
blocks, as some blocks may, in accordance with the present invention, occur in different 
orders and/or concurrently with other blocks from that shown and described herein. 
Moreover, not all illustrated blocks may be required to implement the methodologies in 

25 accordance with the present invention. 

The invention may be described in the general context of computer-executable 
instructions, such as program modules, executed by one or more components. Generally, 
program modules include routines, programs, objects, data structures, etc., that perform 
particular tasks or implement particular abstract data types. Typically, the functionality 
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of the program modules may be combined or distributed as desired in various instances of 
the present invention. 

The present invention's construction can be viewed in a general manner. In FIG. 
7, a flow diagram of a method 700 of facilitating data transformation in accordance with 
an aspect of the present invention is shown. The method 700 starts 702 by obtaining 
input data X , where X = 704. Let G represent a group of unimodular matrices 

over multiplication (G = 5Z 2 ( Z )) 706 - Let H represent a group of 2-dimensional 
vectors modulo 2 l over addition (H = Z^, ) 708. Define G * H as the natural 

homomorphism taking elements of G to automorphisms of H via matrix vector 
products 710. Input data X is then embedded into G * H via mapping x i to 

(A>fi( x i)) (product of elements over G k H) to calculate the block hash, where 4 IS a 
2x2 matrix with det(4) = ±1 and 1 < / < / 712. The block hash value is then output for 
input data X 714, ending the flow 716. Given an appropriate transformation function, 
f n the present invention's construction can also be generalized to larger matrices. 

Referring to FIG. 8, another flow diagram of a method 800 of facilitating data 
transformation in accordance with an aspect of the present invention is depicted. The 
method 800 starts 802 by obtaining input data X , where X = x p ...,x, 804. Input data X 
is then broken down into blocks of length t words, each of size I -bits 806. A given £ - 
bit input x i is then embedded into a 3x 3 matrix B i over the ring of integers modulo 2' 



by x i 



4 v, 
00 1 



=: B i , where v, = ) * s a vecto r with two elements, A i is a 2 x 2 



matrix with det(4) = ±1 , and 1 < / < f 808. Here the sequence of A. 's is fixed 
independent of the input x, . The A. sequence utilized by this instance of the present 
invention is periodic, so that the implementation can be unrolled and have a small code 
footprint. The function, yj(jc) , is defined by multiplication with random odd a i , where 
a. and x are t bits, and the 21 bit result is viewed as a vector of two I -bit numbers. 
Thus, fX*) is invertible modulo 2 2e and can be implemented in one instruction utilizing 
a 2t -bit result of multiplication of two I -bit quantities. For each block of input data X , 
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10 



15 



20 



the product B = 



A z 
00 1 



of these matrices fi ( is then computed 810. The present 



invention then outputs a hash value pair (z,^' =| v,) 812, ending the flow 814. The 
collision probability is substantially near 2~ 2t by utilizing the invertibility of A, and the 
arithmetic properties of the determinants of the matrices of the form Jj[. A i -/ over Z 

(and not modulo 2'). The present invention offers simplicity and can facilitate other 

applications besides MAC applications. 

Turning to FIG. 9, yet another flow diagram of a method 900 of facilitating data 
transformation in accordance with an aspect of the present invention is illustrated. 
Typically data is processed by blocks. Thus, this instance of the present invention's 
construction is described for a map, v , that sends an input data block X = x { ,...,x t into 
£ -bit hash value v = v(X) . The method 900 starts 902 by obtaining input data block X , 
where X = *,,..., Jt, 904. A block key is then provided 906. The block key consists of t- 
bit words a. , for 1 < / < t ; the same key is reused with each block. f i :Z m ->Z 2 m is then 
defined by f f (x) = a, x, x 908. This instance of the present invention's algorithm utilizes 
fixed public matrices A X ,...,A { . These can contain very small entries so that matrix 
products can be implemented very efficiently by addition and subtraction of words. Let 
embedded vector, v. , be a column vector of two words equal to /X*,.) 910. Initialize 

'1 0 

z o 

3x3 matrix, B 0 , with vector, z Q , such that B Q = 0 1 

0 0 1 



912. Embed a unimodular 



2x2 matrix, A i , and the embedded vector, v., into a 3x3 matrix, B i such that 



4 v ; . 

0 0 1 



914. Calculate a 3x3 matrix, B, utilizing 5:=5 0 f|5, 916. This 

1=1 



provides a matrix in the form of B := 



A z 
0 0 1 



, where A has determinant ±1 . Let 



vector, z , be defined as the first two components of the third column of matrix, 5 918. 
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10 



15 



20 



• 

Define a hash value component, cr , by a = <r 0 + £ v, , , where cr 0 is an initial value for 



;=1 



the input data block X 920. Determine a hash value, v(X) , utilizing v(X) = (z, <r) 922. 
Output the hash value for the input data block X 924, ending the flow 926. 

Moving on to FIG. 10, a flow diagram of a method 1000 of facilitating a data 
transformation value length in accordance with an aspect of the present invention is 
shown. In this instance of the present invention, a hash value length is doubled by 
performing an independent hash in parallel. The method 1000 starts 1002 by obtaining 
input data block X , where X = x„...,x, 1004. A first block key, a i , and a second block 
key, b, , which is independent of the first block key, is then provided 1006, where 
1 < / < t . Define g n i<t , to g(x) = b, x, x 1008. Let embedded vector, m, , be a 2-word 
column vector, «, =&(*/) 1010. Initialize 3x3 matrix, C 0 , with vector, u 0 , such that 

1 0 

1012. Embed a unimodular 2x2 matrix, A, , and the embedded 



0 1 " 
0 0 1 



vector, w, , into a 3 x 3 matrix, C, such that C, := 



4 M , 
0 0 1 



1014. Calculate a 3x3 



matrix, C , utilizing C := C 0 f\ C, 1016. This provides a matrix in the form of 



C:= 



A w 
0 0 1 



, where A has determinant ±1 . Let vector, w , be defined as the first 
two components of the third column of matrix, C 1018. Define a hash value component, 

v , by v = v 0 + ^ u t 1020, where v 0 is an initial value for the input data block X . 

i=i 

Determine a first hash value, u(X) , utilizing u(X) = (w,v) 1022. Obtain a second hash 
value v(X) = (z,<r) via an instance of the present invention 1024 such as, for example, 
the method described supra for FIG. 9. Compute an overall hash value, H , utilizing 
H = (v(X),u(X)) = O.cr, w,v) hash value for the input data block X 1026, ending the 
flow 1028. For / < 50 , if H = (z,a,w,v) and H' = (z',<j',w',v') are the hash values 
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computed from two distinct inputs, then the collision probability of the present invention 
is Pr[H = H'] < 2~ AM0 , where the probability is taken over the choice of key. 

In FIG. 1 1, a flow diagram of a method 1 100 of facilitating inter-block chaining 
for a data transformation in accordance with an aspect of the present invention is 
illustrated. The method 1 100 starts 1 102 by obtaining a first hash value, v'(X) = (z\a f ) , 

for an input block X 1 104. Uniform hash functions such as, for example, F x {k) and F} k) , 
are then obtained for a k^ input data block 1 106. The input data block X hash value is 
then chained to the fc* input data block by setting cr 0 = F 2 (<j') 1 108 and 
1 0 

B Q = 0 1 1 1 10 for the k^ input data block. A hash value for the k th input 



0 0 1 

10 data block is then determined 1112, ending the flow 1114. The hash value for the k th 
input data block can then be utilized to chain a subsequent block and so forth. These 
inter-block functions can be repeated to save on key length, at some cost of security. The 
inter-block chaining can be further optimized by exploiting existing slack in the 
utilization of key. Almost twice as much key is utilized in inter-block hashing as is 

15 utilized for the blocks. Key reuse techniques such as a Toplitz shift (see, Black, Halevi, 

Krawczyk, Krovetz, and Rogaway, 1999) could address this aspect. The utilization of a 
single pairwise independent hash could be sufficient. 

Looking at FIG. 12, a flow diagram of a method 1200 of facilitating data 
encryption in accordance with an aspect of the present invention is depicted. Since the 

20 present invention's operations are invertible, they can be combined with authentication 

and encryption with stream ciphers. The method 1200 starts 1202 by obtaining input data 
block X , where X = x v ...,x t 1204. Derive a unimodular matrix-based hash value per 

the present invention 1206. Utilize at least a portion of hash value data employed during 
determination of the hash value to facilitate in defining a stream cipher key 1208. 
25 Generate a one-time pad employing the stream cipher key 1210. Encrypt input data 

block component x i ( 1 < / < / ) with function, y. , defined by y. = a i x i + b t , where a f and 
b i are random key words and a, is provided by the hash value data 1212. The hash value 
is then encrypted 1214. In other instances of the present invention, the hash value is not 
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required to be encrypted and in still other instances of the present invention, the hash 
value data is only employed as a seed to a cipher process. The stream cipher and 
encrypted hash value (MAC) is then output 1216, ending the flow 1218. Typically, MACS 
are appended to the data that they represent before the combined data is transmitted. 
5 In order to provide additional context for implementing various aspects of the 

present invention, FIG. 13 and the following discussion is intended to provide a brief, 

general description of a suitable computing environment 1300 in which the various 

v. 

aspects of the present invention may be implemented. While the invention has been 
described above in the general context of computer-executable instructions of a computer 

10 program that runs on a local computer and/or remote computer, those skilled in the art 
will recognize that the invention also may be implemented in combination with other 
program modules. Generally, program modules include routines, programs, components, 
data structures, etc., that perform particular tasks and/or implement particular abstract 
data types. Moreover, those skilled in the art will appreciate that the inventive methods 

1 5 may be practiced with other computer system configurations, including single-processor 

or multi-processor computer systems, minicomputers, mainframe computers, as well as 
personal computers, hand-held computing devices, microprocessor-based and/or 
programmable consumer electronics, and the like, each of which may operatively 
communicate with one or more associated devices. The illustrated aspects of the 

20 invention may also be practiced in distributed computing environments where certain 
tasks are performed by remote processing devices that are linked through a 
communications network. However, some, if not all, aspects of the invention may be 
practiced on stand-alone computers. In a distributed computing environment, program 
modules may be located in local and/or remote memory storage devices. 

25 As used in this application, the term "component" is intended to refer to a 

computer-related entity, either hardware, a combination of hardware and software, 
software, or software in execution. For example, a component may be, but is not limited 
to, a process running on a processor, a processor, an object, an executable, a thread of 
execution, a program, and a computer. By way of illustration, an application running on 

30 a server and/or the server can be a component. In addition, a component may include 
one or more subcomponents. 
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With reference to FIG. 13, an exemplary system environment 1300 for 
implementing the various aspects of the invention includes a conventional computer 
1302, including a processing unit 1304, a system memory 1306, and a system bus 1308 
, that couples various system components, including the system memory, to the processing 
5 unit 1304. The processing unit 1304 may be any commercially available or proprietary 

processor. In addition, the processing unit may be implemented as multi-processor 
formed of more than one processor, such as may be connected in parallel. 

The system bus 1308 may be any of several types of bus structure including a 
memory bus or memory controller, a peripheral bus, and a local bus using any of a 

10 variety of conventional bus architectures such as PCI, VESA, MicroChannel, ISA, and 
EISA, to name a few. The system memory 1306 includes read only memory (ROM) 
13 10 and random access memory (RAM) 1312. A basic input/output system (BIOS) 
1314, containing the basic routines that help to transfer information between elements 
within the computer 1302, such as during start-up, is stored in ROM 1310. 

1 5 The computer 1 302 also may include, for example, a hard disk drive 1 3 1 6, a 

magnetic disk drive 1318, e.g., to read from or write to a removable disk 1320, and an 
optical disk drive 1322, e.g., for reading from or writing to a CD-ROM disk 1324 or other 
optical media. The hard disk drive 1316, magnetic disk drive 1318, and optical disk drive 
1322 are connected to the system bus 1308 by a hard disk drive interface 1326, a 

20 magnetic disk drive interface 1328, and an optical drive interface 1330, respectively. The 
drives 1316-1322 and their associated computer-readable media provide nonvolatile 
storage of data, data structures, computer-executable instructions, etc. for the computer 
1302. Although the description of computer-readable media above refers to a hard disk, a 
removable magnetic disk and a CD, it should be appreciated by those skilled in the art 

25 that other types of media which are readable by a computer, such as magnetic cassettes, 
flash memory cards, digital video disks, Bernoulli cartridges, and the like, can also be 
used in the exemplary operating environment 1300, and further that any such media may 
contain computer-executable instructions for performing the methods of the present 
invention. 

30 A number of program modules may be stored in the drives 1316-1322 and RAM 

1312, including an operating system 1332, one or more application programs 1334, other 
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program modules 1336, and program data 1338. The operating system 1332 may be any 
suitable operating system or combination of operating systems. By way of example, the 
application programs 1334 and program modules 1336 can include a data transformation 
scheme in accordance with an aspect of the present invention. 

A user can enter commands and information into the computer 1302 through one 
or more user input devices, such as a keyboard 1340 and a pointing device (e.g., a mouse 
1342). Other input devices (not shown) may include a microphone, a joystick, a game 
pad, a satellite dish, a wireless remote, a scanner, or the like. These and other input 
devices are often connected to the processing unit 1304 through a serial port interface 
1344 that is coupled to the system bus 1308, but may be connected by other interfaces, 
such as a parallel port, a game port or a universal serial bus (USB). A monitor 1346 or 
other type of display device is also connected to the system bus 1308 via an interface, 
such as a video adapter 1348. In addition to the monitor 1346, the computer 1302 may 
include other peripheral output devices (not shown), such as speakers, printers, etc. 

It is to be appreciated that the computer 1302 can operate in a networked 
environment using logical connections to one or more remote computers 1360. The 
remote computer 1360 may be a workstation, a server computer, a router, a peer device or 
other common network node, and typically includes many or all of the elements 
described relative to the computer 1302, although, for purposes of brevity, only a 
memory storage device 1362 is illustrated in FIG. 13. The logical connections depicted 
in FIG. 13 can include a local area network (LAN) 1364 and a wide area network (WAN) 
1366. Such networking environments are commonplace in offices, enterprise-wide 
computer networks, intranets and the Internet. 

When used in a LAN networking environment, for example, the computer 1302 is 
connected to the local network 1364 through a network interface or adapter 1368. When 
used in a WAN networking environment, the computer 1302 typically includes a modem 
(e.g., telephone, DSL, cable, etc.) 1370, or is connected to a communications server on 
the LAN, or has other means for establishing communications over the WAN 1366, such 
as the Internet. The modem 1370, which can be internal or external relative to the 
computer 1302, is connected to the system bus 1308 via the serial port interface 1344. In 
a networked environment, program modules (including application programs 1334) 



32 



MS306485.1 



and/or program data 1338 can be stored in the remote memory storage device 1362. It 
will be appreciated that the network connections shown are exemplary, and other means 
{e.g., wired or wireless) of establishing a communications link between the computers 
1302 and 1360 can be used when carrying out an aspect of the present invention. 

5 In accordance with the practices of persons skilled in the art of computer 

programming, the present invention has been described with reference to acts and 
symbolic representations of operations that are performed by a computer, such as the 
computer 1302 or remote computer 1360, unless otherwise indicated. Such acts and 
operations are sometimes referred to as being computer-executed. It will be appreciated 

10 that the acts and symbolically represented operations include the manipulation by the 

processing unit 1304 of electrical signals representing data bits which causes a resulting 
transformation or reduction of the electrical signal representation, and the maintenance of 
data bits at memory locations in the memory system (including the system memory 1306, 
hard drive 1316, floppy disks 1320, CD-ROM 1324, and remote memory 1362) to 

1 5 thereby reconfigure or otherwise alter the computer system's operation, as well as other 

processing of signals. The memory locations where such data bits are maintained are 
physical locations that have particular electrical, magnetic, or optical properties 
corresponding to the data bits. 

FIG. 14 is another block diagram of a sample computing environment 1400 with 

20 which the present invention can interact. The system 1400 further illustrates a system 

that includes one or more client(s) 1402. The client(s) 1402 can be hardware and/or 
software {e.g., threads, processes, computing devices). The system 1400 also includes 
one or more server(s) 1404. The server(s) 1404 can also be hardware and/or software 
{e.g., threads, processes, computing devices). The server(s) 1404 can house threads to 

25 perform transformations by employing the present invention, for example. One possible 

communication between a client 1402 and a server 1404 may be in the form of a data 
packet adapted to be transmitted between two or more computer processes. The system 
1400 includes a communication framework 1408 that can be employed to facilitate 
communications between the client(s) 1402 and the server(s) 1404. The client(s) 1402 

30 are connected to one or more client data store(s) 1410 that can be employed to store 

information local to the client(s) 1402. Similarly, the server(s) 1404 are connected to one 
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or more server data store(s) 1406 that can be employed to store information local to the 
server(s) 1404. 

In one instance of the present invention, a data packet transmitted between two or 
more computer components that facilitates data protection is comprised of, at least in 

5 part, information relating to a data transformation system that utilizes, at least in part, at 
least one unimodular matrix to provide a transformation value for input data to facilitate 
in protection of the input data. 

It is to be appreciated that the systems and/or methods of the present invention 
can be utilized in data protection transformation facilitating computer components and 

10 non-computer related components alike. Further, those skilled in the art will recognize 
that the systems and/or methods of the present invention are employable in a vast array 
of electronic related technologies, including, but not limited to, computers, servers and/or 
handheld electronic devices, and the like. 

What has been described above includes examples of the present invention. It is, 

1 5 of course, not possible to describe every conceivable combination of components or 

methodologies for purposes of describing the present invention, but one of ordinary skill 
in the art may recognize that many further combinations and permutations of the present 
invention are possible. Accordingly, the present invention is intended to embrace all 
such alterations, modifications and variations that fall within the spirit and scope of the 

20 appended claims. Furthermore, to the extent that the term "includes" is used in either the 
detailed description or the claims, such term is intended to be inclusive in a manner 
similar to the term "comprising" as "comprising" is interpreted when employed as a 
transitional word in a claim. 
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